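For some time now I have been using the same wildcard certificate across my internal systems. I have added (and trusted) the certificate in my OSX keychain. However, when I try to access my site with Chrome, I still get an error: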
Attackers might be trying to steal your information from jenkins.kensnet.priv (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID
Subject: *.kensnet.priv
Issuer: *.kensnet.priv
Expires on: Oct 18, 2023
Current date: May 16, 2017
This server could not prove that it is jenkins.kensnet.priv; its security certificate is from [missing_subjectAltName]. This may be caused by a misconfiguration or an attacker intercepting your connection.
How do I get Chrome to accept this wildcard certificate?
Answer 1
You need to recreate the certificate and assign a SubjectAltName. This worked for me on OSX 10.11.6 using Brew:
openssl req -x509 -sha256 -nodes -days 3650 \
-newkey rsa:2048 -keyout visible.priv.key \
-out kensnet.priv.crt -subj "/CN=*.kensnet.priv" \
-reqexts SAN -extensions SAN -config <(cat /usr/local/etc/openssl/openssl.cnf \
<(printf '[SAN]\nsubjectAltName=DNS:*.kensnet.priv'))
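Added example, not part of the original answer: a shell check to run on the regenerated certificate before trusting it in the keychain. It reads `openssl x509 -noout -text` output, ignores the CN, and tests whether a SAN dNSName covers the host. The function names and the script name `check_san.sh` are made up for this illustration, and the parser assumes OpenSSL's usual text layout with the SAN entries on the line after the extension header.

```shell
#!/usr/bin/env bash
# Added example. Reads `openssl x509 -noout -text` output on stdin and checks
# the SAN only; the CN is ignored, as in the [missing_subjectAltName] error.

# Print each SAN dNSName, one per line (prints nothing if there is no SAN).
san_names() {
  awk '/X509v3 Subject Alternative Name/ {
         getline                 # entries sit on the line after the header
         gsub(/[ \t]/, "")
         n = split($0, e, ",")
         for (i = 1; i <= n; i++) if (e[i] ~ /^DNS:/) print substr(e[i], 5)
       }'
}

# name_covers PATTERN HOST: exact match, or "*." standing for exactly one label.
name_covers() {
  local pattern host suffix first
  pattern=$1 host=$2
  case $pattern in
    \*.*)
      suffix=${pattern#\*.} first=${host%%.*}
      [ -n "$first" ] && [ "$host" = "$first.$suffix" ] ;;
    *) [ "$host" = "$pattern" ] ;;
  esac
}

# covers_host HOST: exit 0 if any SAN dNSName in the text on stdin covers HOST.
covers_host() {
  local host names name
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  names=$(san_names | tr 'A-Z' 'a-z')
  while IFS= read -r name; do
    [ -n "$name" ] && name_covers "$name" "$host" && return 0
  done <<EOF
$names
EOF
  return 1
}

# Usage (script name is hypothetical): ./check_san.sh kensnet.priv.crt jenkins.kensnet.priv
if [ "$#" -eq 2 ]; then
  if openssl x509 -in "$1" -noout -text | covers_host "$2"; then
    echo "SAN covers $2"
  else
    echo "SAN does not cover $2"; exit 1
  fi
fi
```

A wildcard entry covers one label only, so `*.kensnet.priv` matches `jenkins.kensnet.priv` but neither `kensnet.priv` nor `a.b.kensnet.priv`; add further `DNS:` entries to the SAN if those names are needed.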